diff options
| -rw-r--r-- | include/net/bluetooth/l2cap.h | 3 | ||||
| -rw-r--r-- | net/bluetooth/l2cap.c | 36 |
2 files changed, 22 insertions, 17 deletions
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h index 48f10f46c73d..0f4e4234c5fa 100644 --- a/include/net/bluetooth/l2cap.h +++ b/include/net/bluetooth/l2cap.h | |||
| @@ -343,7 +343,8 @@ struct l2cap_pinfo { | |||
| 343 | __u8 remote_max_tx; | 343 | __u8 remote_max_tx; |
| 344 | __u16 retrans_timeout; | 344 | __u16 retrans_timeout; |
| 345 | __u16 monitor_timeout; | 345 | __u16 monitor_timeout; |
| 346 | __u16 max_pdu_size; | 346 | __u16 remote_mps; |
| 347 | __u16 mps; | ||
| 347 | 348 | ||
| 348 | __le16 sport; | 349 | __le16 sport; |
| 349 | 350 | ||
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index c50c05738fb6..94be5dbb2569 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c | |||
| @@ -1606,21 +1606,21 @@ static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, siz | |||
| 1606 | 1606 | ||
| 1607 | __skb_queue_head_init(&sar_queue); | 1607 | __skb_queue_head_init(&sar_queue); |
| 1608 | control = L2CAP_SDU_START; | 1608 | control = L2CAP_SDU_START; |
| 1609 | skb = l2cap_create_iframe_pdu(sk, msg, pi->max_pdu_size, control, len); | 1609 | skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len); |
| 1610 | if (IS_ERR(skb)) | 1610 | if (IS_ERR(skb)) |
| 1611 | return PTR_ERR(skb); | 1611 | return PTR_ERR(skb); |
| 1612 | 1612 | ||
| 1613 | __skb_queue_tail(&sar_queue, skb); | 1613 | __skb_queue_tail(&sar_queue, skb); |
| 1614 | len -= pi->max_pdu_size; | 1614 | len -= pi->remote_mps; |
| 1615 | size +=pi->max_pdu_size; | 1615 | size += pi->remote_mps; |
| 1616 | control = 0; | 1616 | control = 0; |
| 1617 | 1617 | ||
| 1618 | while (len > 0) { | 1618 | while (len > 0) { |
| 1619 | size_t buflen; | 1619 | size_t buflen; |
| 1620 | 1620 | ||
| 1621 | if (len > pi->max_pdu_size) { | 1621 | if (len > pi->remote_mps) { |
| 1622 | control |= L2CAP_SDU_CONTINUE; | 1622 | control |= L2CAP_SDU_CONTINUE; |
| 1623 | buflen = pi->max_pdu_size; | 1623 | buflen = pi->remote_mps; |
| 1624 | } else { | 1624 | } else { |
| 1625 | control |= L2CAP_SDU_END; | 1625 | control |= L2CAP_SDU_END; |
| 1626 | buflen = len; | 1626 | buflen = len; |
| @@ -1701,7 +1701,7 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms | |||
| 1701 | case L2CAP_MODE_ERTM: | 1701 | case L2CAP_MODE_ERTM: |
| 1702 | case L2CAP_MODE_STREAMING: | 1702 | case L2CAP_MODE_STREAMING: |
| 1703 | /* Entire SDU fits into one PDU */ | 1703 | /* Entire SDU fits into one PDU */ |
| 1704 | if (len <= pi->max_pdu_size) { | 1704 | if (len <= pi->remote_mps) { |
| 1705 | control = L2CAP_SDU_UNSEGMENTED; | 1705 | control = L2CAP_SDU_UNSEGMENTED; |
| 1706 | skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0); | 1706 | skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0); |
| 1707 | if (IS_ERR(skb)) { | 1707 | if (IS_ERR(skb)) { |
| @@ -2330,7 +2330,7 @@ done: | |||
| 2330 | rfc.monitor_timeout = 0; | 2330 | rfc.monitor_timeout = 0; |
| 2331 | rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE); | 2331 | rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE); |
| 2332 | if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10) | 2332 | if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10) |
| 2333 | rfc.max_pdu_size = pi->conn->mtu - 10; | 2333 | rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); |
| 2334 | 2334 | ||
| 2335 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, | 2335 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, |
| 2336 | sizeof(rfc), (unsigned long) &rfc); | 2336 | sizeof(rfc), (unsigned long) &rfc); |
| @@ -2353,7 +2353,7 @@ done: | |||
| 2353 | rfc.monitor_timeout = 0; | 2353 | rfc.monitor_timeout = 0; |
| 2354 | rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE); | 2354 | rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE); |
| 2355 | if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10) | 2355 | if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10) |
| 2356 | rfc.max_pdu_size = pi->conn->mtu - 10; | 2356 | rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); |
| 2357 | 2357 | ||
| 2358 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, | 2358 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, |
| 2359 | sizeof(rfc), (unsigned long) &rfc); | 2359 | sizeof(rfc), (unsigned long) &rfc); |
| @@ -2482,7 +2482,10 @@ done: | |||
| 2482 | case L2CAP_MODE_ERTM: | 2482 | case L2CAP_MODE_ERTM: |
| 2483 | pi->remote_tx_win = rfc.txwin_size; | 2483 | pi->remote_tx_win = rfc.txwin_size; |
| 2484 | pi->remote_max_tx = rfc.max_transmit; | 2484 | pi->remote_max_tx = rfc.max_transmit; |
| 2485 | pi->max_pdu_size = rfc.max_pdu_size; | 2485 | if (rfc.max_pdu_size > pi->conn->mtu - 10) |
| 2486 | rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10); | ||
| 2487 | |||
| 2488 | pi->remote_mps = le16_to_cpu(rfc.max_pdu_size); | ||
| 2486 | 2489 | ||
| 2487 | rfc.retrans_timeout = L2CAP_DEFAULT_RETRANS_TO; | 2490 | rfc.retrans_timeout = L2CAP_DEFAULT_RETRANS_TO; |
| 2488 | rfc.monitor_timeout = L2CAP_DEFAULT_MONITOR_TO; | 2491 | rfc.monitor_timeout = L2CAP_DEFAULT_MONITOR_TO; |
| @@ -2495,7 +2498,10 @@ done: | |||
| 2495 | break; | 2498 | break; |
| 2496 | 2499 | ||
| 2497 | case L2CAP_MODE_STREAMING: | 2500 | case L2CAP_MODE_STREAMING: |
| 2498 | pi->max_pdu_size = rfc.max_pdu_size; | 2501 | if (rfc.max_pdu_size > pi->conn->mtu - 10) |
| 2502 | rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10); | ||
| 2503 | |||
| 2504 | pi->remote_mps = le16_to_cpu(rfc.max_pdu_size); | ||
| 2499 | 2505 | ||
| 2500 | pi->conf_state |= L2CAP_CONF_MODE_DONE; | 2506 | pi->conf_state |= L2CAP_CONF_MODE_DONE; |
| 2501 | 2507 | ||
| @@ -2574,11 +2580,10 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, | |||
| 2574 | pi->remote_tx_win = rfc.txwin_size; | 2580 | pi->remote_tx_win = rfc.txwin_size; |
| 2575 | pi->retrans_timeout = rfc.retrans_timeout; | 2581 | pi->retrans_timeout = rfc.retrans_timeout; |
| 2576 | pi->monitor_timeout = rfc.monitor_timeout; | 2582 | pi->monitor_timeout = rfc.monitor_timeout; |
| 2577 | pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size); | 2583 | pi->mps = le16_to_cpu(rfc.max_pdu_size); |
| 2578 | break; | 2584 | break; |
| 2579 | case L2CAP_MODE_STREAMING: | 2585 | case L2CAP_MODE_STREAMING: |
| 2580 | pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size); | 2586 | pi->mps = le16_to_cpu(rfc.max_pdu_size); |
| 2581 | break; | ||
| 2582 | } | 2587 | } |
| 2583 | } | 2588 | } |
| 2584 | 2589 | ||
| @@ -3753,7 +3758,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk | |||
| 3753 | * Receiver will miss it and start proper recovery | 3758 | * Receiver will miss it and start proper recovery |
| 3754 | * procedures and ask retransmission. | 3759 | * procedures and ask retransmission. |
| 3755 | */ | 3760 | */ |
| 3756 | if (len > L2CAP_DEFAULT_MAX_PDU_SIZE) | 3761 | if (len > pi->mps) |
| 3757 | goto drop; | 3762 | goto drop; |
| 3758 | 3763 | ||
| 3759 | if (l2cap_check_fcs(pi, skb)) | 3764 | if (l2cap_check_fcs(pi, skb)) |
| @@ -3784,8 +3789,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk | |||
| 3784 | if (pi->fcs == L2CAP_FCS_CRC16) | 3789 | if (pi->fcs == L2CAP_FCS_CRC16) |
| 3785 | len -= 2; | 3790 | len -= 2; |
| 3786 | 3791 | ||
| 3787 | if (len > L2CAP_DEFAULT_MAX_PDU_SIZE || len < 4 | 3792 | if (len > pi->mps || len < 4 || __is_sframe(control)) |
| 3788 | || __is_sframe(control)) | ||
| 3789 | goto drop; | 3793 | goto drop; |
| 3790 | 3794 | ||
| 3791 | if (l2cap_check_fcs(pi, skb)) | 3795 | if (l2cap_check_fcs(pi, skb)) |